
What is DNS Content Filtering?

A DNS-based content filtering service can prevent certain websites from loading on your network. Most services can filter by specific categories such as malware, phishing, pornography, etc. Unlike some content filtering, which can introduce security risks, DNS filtering does not intercept traffic between you and the website you’re visiting. It doesn’t require installing any software on your computer or device, making it one of the safest ways to filter web content.

If you accidentally mistype a popular domain (such as typing .cm instead of .com), it would normally take you to a phishing site. A DNS filtering service blocks this by returning an NXDOMAIN (domain does not exist) response instead of the IP address, effectively preventing the website from loading. The same technique can be used to stop any undesirable category (malware, pornography, adware, etc.) from loading on your network.

The other benefit of using a DNS filtering service is that it can force certain search and media services (like Google and YouTube) into safe mode, preventing anyone using your network from even seeing adult content in their search results.

Why Should I use One?

It’s not only a wise way to protect yourself from malware and temptation; it also helps when you let guests onto your WiFi network (you don’t have to worry as much about what they’re doing), and it’s a good idea when you start letting kids online. DNS filtering doesn’t take the place of parenting, and anyone with a little technical skill can bypass it, but it may help prevent your family and anyone using your network from accidentally stumbling across bad sites. If it prevents one cryptolocker infection, it’s worth it.

I think families, churches, home networks, small businesses, organizations, schools, large enterprises, and governments could benefit from DNS filtering. You may not want to go overboard blocking content about illegal drugs and gambling, but at the very least you probably don’t want malware on your network!

Two DNS Filtering Services

I use two DNS content filtering services: OpenDNS and CleanBrowsing. Both have simple instructions to get started, so I won’t repeat that here. Both are free, work well, and my decision to use one or the other on a particular network just depends on the situation–although in most cases either would be fine. It’s nice to have multiple options.

OpenDNS

OpenDNS has been around since 2006 and was acquired by Cisco in 2014. It offers several free plans and some paid options as well:

OpenDNS Family Shield (Free). Very simple: just set your router’s DNS servers to 208.67.222.123 and 208.67.220.123 and it’s pre-configured to block malicious and adult content.

OpenDNS Home (Free). For more advanced control, this allows granular category filtering as seen in the screenshots below. If your ISP assigns you a dynamic IP, you will need to run a DDNS client to keep OpenDNS updated with your public IP. Below are some screenshots to show the granularity:

OpenDNS Home VIP ($20/year). Very affordable, and adds the ability to whitelist specific domains that are on the block list.

Cisco Umbrella. For businesses and larger enterprises.

CleanBrowsing

CleanBrowsing is a fairly new service, starting in February of 2017.

It offers three easy free filtering plans and two paid plans:

Security Filter (Free) – Set your router’s DNS to 185.228.168.9 and 185.228.169.9 to block only malicious domains (phishing and malware).

Adult Filter (Free) – Set DNS to 185.228.168.10 and 185.228.169.11 to block adult domains and force search engines into safe mode (this also includes the Security Filter).

Family Filter (Free) – Set DNS to 185.228.168.168 and 185.228.169.168 to block VPN domains that could be used to bypass the filter and mixed-content sites (like Reddit), and to force YouTube into safe mode (includes the Adult and Security Filters as well).

Much better test results blocking phishing sites: CleanBrowsing blocked 100% of phishing sites on 3 out of 4 tests, beating OpenDNS in every area. On the real-time test it let 1 out of 12 sites through, whereas OpenDNS blocked only 2 out of 12 sites.

Both OpenDNS and CleanBrowsing have very fast DNS resolution rates (probably faster than your ISP), with CleanBrowsing resolving slightly faster for me but within milliseconds of each other. I think either service is worth using.

I have made a covenant with my eyes. How then could I look at a young woman? — Job 31:1 CSB

Why Is It Slow?

When you request a website, say b3n.org, your computer needs its IP address. So it sends packets through your router/firewall and your modem out to your ISP’s DNS servers. Your ISP’s DNS server will probably have the answer cached; if not, it resolves the name recursively, starting with the root name servers, to find out which DNS servers are authoritative for the domain, and then queries those. It gets the IP address and sends it back to your computer, which can then connect to the server IP for b3n.org. Any latency along this path adds delay. If you ever type a URL into the address bar and nothing happens for a few hundred milliseconds before the website suddenly starts to load, this is likely the cause.

Is Your DNS Hijacked by Your ISP?

It’s pretty easy for ISPs to hijack DNS queries. A small number of ISPs (Comcast, CenturyLink, Time Warner, Cox, Rogers, Charter, Verizon, Sprint, T-Mobile, Frontier, etc.) have been caught doing exactly that. Want to know why? Advertising revenue. When you misspell a domain, some ISPs, instead of returning an NXDOMAIN (does not exist) like any RFC-compliant DNS server, will resolve the domain anyway, point it at a page they control, and advertise to you! This is a really bad idea. But there is a way to prevent your ISP from doing this…

Using Google’s Nameservers

If you’re not tech savvy, using 8.8.8.8 and 8.8.4.4 is probably better than your ISP’s nameservers. It won’t hurt and will probably help, but it may not: it’s trivial for an ISP to route those IPs to its own servers, and some do.

Even if your ISP is pure goodness and would never do that, someone could set up a rogue DNS server posing as theirs and intercept all your DNS traffic.

The only solution is to run your own DNS server locally, querying the root name servers yourself to find the authoritative DNS servers, and to use DNSSEC to validate the answers. That cuts any third-party DNS provider out of the path.

You can set up a local FreeBSD server and run Unbound on it, but if you’re already using a router like pfSense or OPNsense you can set up an Unbound resolver in a few clicks.

Open up pfSense and first make sure the forwarder, under Services, DNS Forwarder, is disabled. Slowness warning: on a low-query network such as a home network, having the forwarder disabled may make lookups slower, because Unbound has to walk the DNS hierarchy itself to get results; this can sometimes take a second or two and result in DNS timeouts while it does so. If you find Unbound’s performance slow, I’d suggest turning on forwarding mode, which uses the DNS servers specified in pfSense under System, General Setup. In that case I’d recommend pointing them at 8.8.8.8 and 8.8.4.4. If you run with forwarding enabled, you should verify that your ISP is not hijacking your DNS results; if they are, you should switch ISPs.

Go to Services, DNS Resolver.

Enable the DNS Resolver

Select the network interfaces that you want Unbound to listen on (do not select ALL; you’ll definitely want to select LAN).

System Domain Local Zone Type: Transparent

Enable DNSSEC Support

Do NOT enable Forwarding Mode

You can also choose to register DHCP addresses in the DNS Resolver, which is very handy if you’re using pfSense to manage DHCP.
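The ISP-hijacking and DNSSEC discussion above and the pfSense resolver steps both come down to one question, namely what the resolver actually answers, so here is one added Python check (example code, not from the original post) that builds a raw DNS query, decodes the reply header, and reports whether a resolver returned NXDOMAIN (a filter block or an honest miss), answered anyway for a name that cannot exist (ISP-style hijacking), or set the AD bit (DNSSEC validation). The resolver address and the signed zone in the usage section are assumptions, and the two sample replies are constructed rather than captured traffic.

```python
import os, socket, struct

def encode_name(name):
    """Encode a dotted hostname as DNS labels (length byte + label), ending with the root label."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"

def build_query(name, qtype=1, txid=0x1234):
    """Query with RD set, plus an OPT record carrying the DO bit so a validating resolver may set AD."""
    header = struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 1)        # flags: RD; 1 question, 1 additional
    question = encode_name(name) + struct.pack(">HH", qtype, 1)        # QTYPE, QCLASS IN
    opt = b"\x00" + struct.pack(">HHBBHH", 41, 1232, 0, 0, 0x8000, 0)  # root name, OPT, bufsize, DO flag
    return header + question + opt

def classify(reply):
    """Decode the reply header: RCODE, AD (DNSSEC validated), RA, and the number of answer records."""
    txid, flags, _qd, an, _ns, _ar = struct.unpack(">HHHHHH", reply[:12])
    return {"id": txid, "rcode": flags & 0x000F, "nxdomain": (flags & 0x000F) == 3,
            "authenticated": bool(flags & 0x0020), "recursion_available": bool(flags & 0x0080),
            "answers": an}

def verdict(reply, expect_nxdomain):
    """'nxdomain': honest miss or filter block. 'hijacked': answers came back for a name that cannot exist."""
    r = classify(reply)
    if r["nxdomain"]:
        return "nxdomain"
    if expect_nxdomain and r["answers"] > 0:
        return "hijacked"
    return "answer"

def query_resolver(server, name, timeout=3.0):
    """Send the query over UDP/53 and return the raw reply (needs network; the samples below do not)."""
    q = build_query(name, txid=int.from_bytes(os.urandom(2), "big"))
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(q, (server, 53))
        reply, _ = s.recvfrom(4096)
    if reply[:2] != q[:2]:
        raise ValueError("transaction id mismatch; discarding reply")
    return reply

# Constructed sample replies (not captured traffic) to an A query for a name that cannot exist.
_Q = encode_name("nonexistent-typo-check.com") + struct.pack(">HH", 1, 1)
SAMPLE_NXDOMAIN = struct.pack(">HHHHHH", 0x1234, 0x8183, 1, 0, 0, 0) + _Q   # QR|RD|RA, RCODE 3, no answers
SAMPLE_HIJACKED = (struct.pack(">HHHHHH", 0x1234, 0x8180, 1, 1, 0, 0) + _Q  # RCODE 0 plus one invented A record
                   + b"\xc0\x0c" + struct.pack(">HHIH", 1, 1, 60, 4) + bytes([198, 51, 100, 1]))

if __name__ == "__main__":
    resolver, signed_zone = "192.168.1.1", "example.com"  # assumed: your pfSense LAN address; a DNSSEC-signed zone
    probe = "nx-" + os.urandom(6).hex() + ".com"           # random label: never cached, not a real zone
    print("hijack check:", verdict(query_resolver(resolver, probe), expect_nxdomain=True))
    print("DNSSEC validated (AD):", classify(query_resolver(resolver, signed_zone))["authenticated"])
```

Run it against your pfSense LAN address after the steps above: the hijack check should print nxdomain, and the AD bit should be True once DNSSEC support is enabled and the zone you query is signed.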
